HABEAS DATA

Data protection policy

1. RULES GOVERNING THE PROCESSING OF PERSONAL DATA

The Constitution of Colombia in its catalog of fundamental rights enshrines in Article 15 the right of all persons to their privacy, good name and habeas data. Additionally, Law 1581 of 2012 – Personal Data Protection Law-, Decree 1377 of 2013 and 886 of 2014 define the conditions for the processing of personal data.

NORA LOZZA in its capacity as Responsible for the treatment of Personal Information is committed to compliance with the aforementioned regulations and, as a consequence, will promote respect for the principles and rules on the protection of personal data by its employees and those in charge of data processing. , advancing processes of continuous improvement and ensuring compliance with the Law in the development of the activities of their nature.

2. DEFINITIONS

NORA LOZZA has the following definitions for the correct interpretation of the guidelines in this policy. Next, the main concepts related to the processing of personal data within the framework of the operations associated with the activities developed by NORA LOZZA are defined:

Authorization: Prior, unequivocal and informed consent of the owner of the data to carry out the processing of your personal information.

Authorized: Person authorized by a holder of personal data to perform any type of procedure or application to the company on behalf of who authorized.

Database: Any organized set of personal data that allows access to data according to certain criteria, whatever the form or modality of its creation, storage, organization and access.

Client: Natural or legal person who has acquired the services offered by NORA LOZZA, especially those related to the trade of the products made and distributed by the company and the other activities that are related to the development of its corporate purpose.

Causairents: For a person to be the successor of another, it is necessary that the person directly causes a legal link. It is understood as a successor who inherits the deceased.

Consultation: Request of the owner of the data or the persons authorized by it or by law to access the information that rests in any database, whether it is contained in an individual record or that is linked to the identification of the Owner.

Private data: They are related to the private sphere of people: books of merchants, data contained in private documents, tastes or personal contact data.

Public data: It is the data that is not semi-private, private or sensitive. They are considered public data, among others, the data relative to the civil status of the people, to their profession or trade and to their quality of merchant or public servant. By their nature, public data may be contained, among others, in public records, public documents, gazettes, official bulletins and judicial sentences duly executed that are not subject to reservation.

Semi-private data: Their access is subject to some degree of restriction, they interest a certain sector or group of people: financial or credit, academic, labor data, etc.

Sensitive data: Sensitive data is understood to be those that affect the privacy of the Holder or whose improper use may generate discrimination, such as those that reveal racial or ethnic origin, political orientation, religious or philosophical convictions, union membership, social organizations, of human rights or that promotes the interests of any political party or that guarantees the rights and guarantees of opposition political parties, as well as the data related to health, sexual life and biometric data.

In charge of the treatment: the natural or legal person, public or private, the administrative administrator who, alone or jointly with others, deals with personal data on behalf of the company, as a consequence of the existence of a legal relationship that delimits the scope of its action for the provision of a service.

Identifiable person: Any person whose identity can be determined, directly or indirectly, with physical information referring to their physical, physiological, psychological, economic, cultural or social identity. A natural person is not considered identifiable like this.

Recover: Request of the owner of the data or the persons authorized by it or by law to correct, update, or delete their personal data or to revoke the authorization in the cases established by law.

Provider: Natural or juridical person who contractually assumes with NORA LOZZA, with their own and other people’s human and material resources, the commitment to execute all or part of the works or services subject to a project and / or contract. When a supplier is an individual and, in turn, hires a staff to develop the entrusted project, the responsibility to request the authorization of the data processing will be from the provider. For the purposes of processing information, the provider delivers personal data, managed by the company.

Responsible for the management of information: Person (s) who have been appointed internally by the company to exercise the formal function of coordinating and controlling the complaints, requests or claims that the holders formulate.

Responsible for the processing of information: Natural or legal person who decides the administration and management of personal data under his charge.

Data subject: Natural person owner and owner of the data on the companies from which any type of treatment is created.

Worker: It is every person who is in labor conflict is linked to the company.

Transfer: Sending personal data made by the person responsible for the transfer from Colombia.

Transmission: Processing of personal data that implies the communication of same within or transmission of Colombia that has the purpose of carrying out a treatment on behalf of the person in charge.

Data processing: Any operation or technical procedure, or non-automated, that allows the collection, storage, use, circulation and suppression.

3. PRINCIPLES THAT GUIDE THE PROCESSING OF PERSONAL INFORMATION

NORA LOZZA developing its NORA LOZZA in development of its commitment to the responsible treatment of information, actions and decisions implemented to achieve common objectives are guided by the following principles:

Principle of legality in the field of data processing: The treatment of information is a regulated activity that must be subject to the provisions of law 1581 of 2012 – Law of protection of personal data and other provisions that develop it.

Principle of purpose: The treatment of the information of NORA LOZZA obeys a legitimate purpose in accordance with the Constitution and the Law, which is informed to the Holder.

Principle of freedom: The treatment is exercised in accordance with the prior, express and informed consent of the owner of the data. The personal data of the holders are not obtained or disclosed without prior authorization, or in the absence of legal or judicial mandate that reveals the consent. The foregoing is interpreted in an integral manner with the principle of freedom in data management.

Principle of truth or quality: The information subject to treatment by NORA LOZZA is truthful, complete, and accurate. In this aspect, the owner plays a key role: it is understood that the information is true, if it is provided based on the principle of good faith.

Principle of transparency: In the treatment the right of the owner to obtain from NORA LOZZA, at any time and without restrictions, information about the existence of data concerning him is guaranteed.

Principle of access and restricted circulation: The treatment carried out by NORA LOZZA is subject to the limits that derive from the nature of personal data, the provisions of Law 1581 of 2012 and the Constitution. In this sense, the treatment is carried out by persons authorized by the owner.

Principle of security: The information that NORA LOZZA or its attendants of the treatment to which the present Policy of Treatment of the Information talks about, will be handled with the technical, human and administrative measures that are necessary to grant security to the registries avoiding their alteration loss, consultation, use or unauthorized or fraudulent access.

Principle of confidentiality: All the human talent of NORA LOZZA that intervenes in the processing of personal data that does not have the nature of public is obliged to guarantee the reservation of information, even after the end of its relationship with any of the tasks included in the treatment, being able to only supply or communicate personal data when this corresponds to the development of the activities authorized in this Information Processing Policy or in the 1581 law of 2012.

4. PERSONAL INFORMATION

Within the development of the functions of NORA LOZZA, it is stated that there is a relationship with natural persons or legal persons headed by a natural person who acts as legal representative, it is required to know and process personal data corresponding to the categories of public, semi-private, private data and sensitive data.

5. INFORMATION HOLDERS

NORA LOZZA deals with information of the following owners:

Workers

Former workers

Apprentices

Owners

Suppliers

Customers

Potential customers

Potential suppliers

Visitor

Relatives of the worker.

6. PURPOSES OF THE PROCESSING OF PERSONAL DATA

The information submitted to processing within the development of the activities of the corporate purpose of NORA LOZZA, will be used for the proper execution of our internal projects and operations. The purposes for which we collect data and treat personal information are listed below:

Start the worker selection process directly or through a third party, together with the procedures indicated for this purpose.

Carry out the recruitment of human talent that successfully passed the selection process and other activities related to the management of human talent

Keep historical of direct employees, active and inactive employees of the company.

Recording, capture, transmission, storage and reproduction in real time or later of images by video surveillance systems, access controls, closed television circuits, with the aim of guaranteeing the security of goods and people in the company’s facilities and its stores or branches.

Maintain communication channels with customers using means such as telephone calls, emails, text messages, among others; for the execution of communication, dissemination and promotion campaigns of NORA LOZZA products, activities or services.

Register information of potential clients, in order to be able to deliver information regarding offers, products and services offered by the organization.

Maintain contact with the suppliers with whom concession, civil and commercial contracts are entered into; When this is a legal entity, personal information may be known about the person (s) designated contact (s) for the supervision of the service or work contracted, as well as about the personnel that he / she is in charge of or arranges for his / her execution, information that will be used exclusively for the purposes that concern the development of the contract.

Contact for complaints, claims and / or guarantees against the product purchased and timely response to problems or problems that arise in the provision of services or in the execution of other activities related to the corporate purpose of the company.

Perform the dissemination of special events, news and interesting activities organized by the company.Sending commercial information to owners, in order to inform about news about the products or services of Chic Marroquinería.

Registration and traceability of invoices filed by suppliers and documents that enter and leave the company’s facilities and / or headquarters.

Report and store the tax information to the competent entities.

Make the selection, contracting and contact record for the entry of suppliers.

Accounting History of the company.

Control of NORA LOZZA staff schedules.

Perform through any means directly or through third parties: billing development of commercial and marketing activities, conducting satisfaction surveys of NORA LOZZA products and services, sending information on news, products, services and special offers (mailings ), portfolio management, collection verification, conducting studies for statistical purposes of customer knowledge, telephone service, verification, consultation and control, as well as any other related to our current and future products and services, for the fulfillment of contractual obligations and the corporate purpose of the company.

Share information to third parties in charge and interested in the treatment, which are previously authorized by the owner of the personal data.

7. RIGHTS OF THE HOLDERS

The persons whose personal information is subject to treatment by NORA LOZZA hold the status of holders, by virtue of which they may exercise the following rights recognized by the Constitution and the Law:

Know, update and rectify personal data. In order to guarantee this right, the identity of the owner or the legitimated quality must be accredited, in order to prevent unauthorized third parties from accessing personal information.

Obtain a copy of the authorization they have granted as data owners.

Know the treatment that is being carried out on personal data by the company.

Formulate queries and claims to safeguard your right to the protection of personal data in accordance with the guidelines established in the law and in the terms of this policy.

Request the deletion of personal data or revoke the authorization granted when, through a judicial or administrative process, it is determined that the legal and constitutional provisions on the matter were violated in the processing of their information.

Access your personal data for free. The information requested by the owner may be provided by any means that allows him to know, including electronic.

In the attention and processing of the information queries raised by the owner, the order against the individual will be taken into account in article 21 of Decree 1377 of 2013, which establishes:

“The Owner may consult their personal data free of charge: (i) at least once each calendar month, and (ii) whenever there are substantial modifications to the Information Treatment Policies that motivate new consultations.

For inquiries whose periodicity is greater than one for each calendar month, the person in charge may only charge the owner the costs of sending, reproducing and, where appropriate, document certification. The costs of reproduction can not be greater than the costs of recovering the corresponding material. For this purpose, the responsible party must demonstrate to the Superintendence of Industry and Commerce, when it so requires, the support of said expenses. ”

7.1. THE EXERCISE OF THE RIGHTS OF THE HOLDER NORA LOZZA

in order to ensure the exercise of the rights of the owner, has the following channels of service to receive queries and complaints made by the owner in relation to the protection of their personal data:

In the main office of NORA LOZZA, located in Carrera 18 No. 38 -10 Piso 5 Bucaramanga, Santander. for the physical reception of the documents that contain the query or claim.

7.2. MINIMUM CONTENT OF THE APPLICATION

The requests presented by the owner in order to make a query or complaint about the use and handling of their personal data must contain minimum specifications, so that the owner can be provided a clear and consistent response to the request. The requirements of the application are:

Be addressed toCHIC MARROQUINERIA SAS/ NORA LOZZA.

Contain the identification of the Holder (name and identification document)

Contain the description of the facts that motivate the query or claim in relation to the protection of personal data.

Indicate the address of notification of the Holder.

Attach the documents you want to assert. (Especially for claims).

8. RESTRICTIONS ON THE RIGHTS OF THE HOLDER

The revocation of the authorization and / or request for deletion of personal data will not be appropriate when the owner has a legal or contractual obligation that requires their stay in the NORA LOZZA database, as in the case of suppliers and workers. However, the information regarding the inactive holders may remain in the databases in compliance with the rules of the General Social Security System, the Commercial Code, the Tax Statute and other legal provisions, which require the preservation of historical information. and accounting for strictly legal terms so it can not be deleted on all occasions.

9. PROCEDURE FOR THE ATTENTION OF CONSULTATIONS AND CLAIMSS

In relation to the consultations, these will be attended within a maximum term of ten (10) business days counted from the day of receipt of the same. When it is not possible to attend the consultation within said term, the interested party will be informed of the reasons, indicating the new date on which his consultation will be resolved, which will not exceed five (5) business days following the expiration of the first term. Next, the corresponding diagram is related.

Figure 1. Consultation procedure.

Claims will be handled within a maximum term of fifteen (15) business days from the day following the date of receipt thereof. NORA LOZZA may extend the response term in special cases giving notice to the interested party. This new term will not exceed eight (8) business days. Next, the corresponding diagram is related.

Figure 2. Claim procedure

10. THIRD PARTY AUTHORIZATION

When the owner wishes to make a request or request the updating and rectification of their personal data through a third party, they must send to NORA LOZZA, either physically or by e-mail, the proper authorization by which they are empowered to exercise their rights as a holder. The presentation of the authorization is a mandatory requirement to guarantee the reservation of information against unauthorized third parties.

The authorization must be made through a special power which must contain at least the following:

Identification of the holder that authorizes

Name and identification data of the authorized person.

Time by which you can consult, update or rectify the information (only once, for a year, for the duration of the legal relationship, or until a new order, etc.).

Voluntary nature and free of authorization.

Copy of the holder’s citizenship card

11. RESPONSIBLE AREA FOR THE ATTENTION OF CONSULTATIONS AND CLAIMS

The area designated to receive, address and respond to inquiries and claims that raise the owners is the area of ​​accounting.

12.OBLIGATIONS OF THE PERSON RESPONSIBLE FOR THE PROCESSING OF PERSONAL DATA

NORA LOZZA, in his capacity as Information Manager, has the following obligations to the holders of the information:

Guarantee the holder the full exercise of the right of Habeas Data.

Request and keep a copy of the treatment authorization granted by the owner.

Properly inform the owner about the purpose of the collection of your data and the rights that assist you under the authorization granted.

Keep the information under optimal security conditions, those necessary to prevent its adulteration, loss, consultation, use or unauthorized or fraudulent access.

Update the information, including all the news regarding the data previously provided by the owner and adopt the other necessary measures so that the information received is kept up-to-date.

Rectify the information when it is incorrect.

Process the queries and claims formulated.

Inform at the request of the owner about the use given to their data.

Inform the data protection authority when there are violations of the security codes and there are risks in the administration of the information of the owners.

13.TREATMENT OF SENSITIVE DATA

In the processing of personal data of a sensitive nature that NORA LOZZA performs, it will be with the free, prior, express and duly informed authorization of the owner, in full compliance with the duty of confidentiality and security of the information.

The supply of sensitive personal data will be optional for the owner, and may be refrained from delivering them when desired. However, these data will be necessary in some occasions for the correct provision of the logistics services offered by the organization.

14.VALIDITY OF THE PERSONAL DATA PROCESSING POLICY

The guidelines and guidelines contained in this policy will be effective as of August 2017 and will render ineffective any other Personal Data Processing Policy previously adopted by NORA LOZZA.

15. VALIDITY OF THE DATABASE

Databases that store information on owners who have contractual relationships or must remain by virtue of law will remain in effect until the need for treatment ends. The foregoing without prejudice to the exercise of the rights of suppression that assist the Holder.

16.CHANGES AND MODIFICATIONS

The changes and modifications of a substantial order that are incorporated in this policy after its entry into force, will be communicated to the owner five days before the implementation of the variations.

The notification about the modifications that will be made, may be sent by the appropriate means of communication, such as: email or in the physical facilities of CHIC MARROQUINERIA.